
Re: [Samba] DC2 denies access when saving through the Group Policy Management Console


?icro MEGAS

Nov 1, 2014, 11:30:03 AM
Hello list,

I am not sure if this is a bug or already known, but I will describe it. I have two domain controllers running 4.1.12/sernet which are linked together. I am using unison for bidirectional sync of the sysvol directory as described on Samba's wiki, although in my opinion the problem I will describe in the following has nothing to do with the sync process. The sync occurs every 5 minutes.

On a Win7 client I open the Group Policy Management Console (run/execute the command "gpmc.msc"). When I right-click in the left pane on my domain name "mydom.example.com" I can choose "Change Domain Controller...". In the window which opens, at the bottom I see my two domain controllers, from which I can choose the one I'd like to connect to. Whatever I configure while connected to DC1, the changes are propagated to DC2 after 5 minutes at most, and I can check that the settings are successfully transferred to DC2.

But ==> Whenever I try to make modifications while connected to DC2 I get errors like "No permission" or "Error 0x80070005 during the save ... Access denied" and the like. I cannot modify settings on DC2, why? Shouldn't it normally work?

Mirco.

I think I am approaching the issue. When I am logged in with a domain admin account on the Windows machine and try to access the share \\dc1\sysvol or \\dc2\sysvol I get access denied. So I ran "getfacl /var/lib/samba/sysvol" on both DC1 and DC2 and the result is...

# file: sysvol
# owner: root
# group: 3000000
user::rwx
user:root:rwx
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

As you see, the gid 3000000 is not resolved on my domain controllers, which explains why my domain admin account cannot access the share. The strange thing is: why am I able to make modifications to GPOs on DC1? And the most important question: how do I reset/set up the correct ACL parameters for sysvol? I want to add that I don't use winbind on DC1 or DC2. Do I really have to enable winbind on DC1+DC2 as well? Please give me some advice.

Thank you.
Mirco
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland Penny

Nov 1, 2014, 12:20:03 PM
The gid is being resolved on the DC, just not in the way that you
expect. If you open idmap.ldb in ldbedit, you will find that '3000000'
comes from the well-known SID 'S-1-5-32-544', which is the
'Administrators' group in AD.

The others are:
3000001 S-1-5-32-549 Server Operators
3000002 S-1-5-18 Local System
3000003 S-1-5-11 Authenticated Users

If you need to reset the sysvol ACLs, there is a command for it:

samba-tool ntacl sysvolreset

You can check the ACLs on sysvol with:

samba-tool ntacl sysvolcheck

You do not need to run either; your ACLs are correct.

You are using winbind on the server; it is either built into the samba
daemon or, if you are running 4.2, it is now called 'winbindd' and is
started by the samba daemon.

I think that your problem is that when you join another DC to the
domain, idmap.ldb is not replicated, so when you sync sysvol from the
first DC to the second, the 'xidNumbers' (i.e. '3000000') do not match
what is in idmap.ldb on the second DC, so the permissions are not
correct. The cure is to copy idmap.ldb from the first DC to any other DCs.

Rowland
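
As an added illustration of Rowland's point (this is not code from the thread and not Samba's own tooling): a script that parses the LDIF `ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)'` prints on each DC, reports xidNumbers that resolve to different SIDs on the two DCs, and annotates the getfacl output from the post with the SID and name behind each numeric gid. The two idmap dumps below are constructed; DC2's is deliberately given a different allocation order (a DC hands out xids in the order it first sees each SID), which is the failure mode described above. The getfacl text is copied from the post.

```python
import re
from typing import Dict, List, Optional, Tuple

# Well-known SIDs behind the xidNumbers named in the thread. The SID -> name
# part is fixed by Windows; the xidNumber -> SID part is per-DC and lives in
# /var/lib/samba/private/idmap.ldb, which is what can diverge between DCs.
WELL_KNOWN = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-549": "BUILTIN\\Server Operators",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
}


def parse_idmap_ldif(ldif: str) -> Dict[int, str]:
    """Return {xidNumber: objectSid} from an ldbsearch dump of idmap.ldb."""
    mapping: Dict[int, str] = {}
    for record in re.split(r"\n\s*\n", ldif.strip()):
        attrs: Dict[str, str] = {}
        for line in record.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # skip '# record N' comments and anything non-attribute
            key, value = line.split(": ", 1)
            attrs[key] = value
        if attrs.get("objectClass") == "sidMap" and "xidNumber" in attrs:
            mapping[int(attrs["xidNumber"])] = attrs["objectSid"]
    return mapping


def compare_idmaps(dc1: Dict[int, str], dc2: Dict[int, str]) -> List[Tuple[int, Optional[str], Optional[str]]]:
    """xidNumbers that resolve to a different SID (or to nothing) on the two DCs.
    Any hit means a POSIX ACL copied by rsync/unison carries a numeric id that
    means a different principal on the destination DC."""
    return [
        (xid, dc1.get(xid), dc2.get(xid))
        for xid in sorted(set(dc1) | set(dc2))
        if dc1.get(xid) != dc2.get(xid)
    ]


def annotate_getfacl(getfacl_out: str, idmap: Dict[int, str]) -> List[Tuple[str, str, str]]:
    """Resolve every numeric user:/group: entry in getfacl output through idmap."""
    seen: Dict[str, Tuple[str, str, str]] = {}
    for m in re.finditer(r"^(?:default:)?(user|group):(\d+):", getfacl_out, re.M):
        kind, xid = m.group(1), int(m.group(2))
        sid = idmap.get(xid, "UNMAPPED")
        seen.setdefault(f"{kind}:{xid}", (f"{kind}:{xid}", sid, WELL_KNOWN.get(sid, sid)))
    return list(seen.values())


def _ldif(*pairs: Tuple[str, int]) -> str:
    """Build a constructed idmap.ldb dump in the layout ldbsearch prints."""
    records = []
    for n, (sid, xid) in enumerate(pairs, 1):
        records.append(
            f"# record {n}\ndn: CN={sid}\ncn: {sid}\nobjectClass: sidMap\n"
            f"objectSid: {sid}\ntype: ID_TYPE_BOTH\nxidNumber: {xid}\n"
            f"distinguishedName: CN={sid}\n"
        )
    return "\n".join(records)


# Constructed dumps. DC1 matches the gids in the getfacl output from the post;
# DC2 has 3000001 and 3000003 allocated to the other SID.
DC1_IDMAP = _ldif(("S-1-5-32-544", 3000000), ("S-1-5-32-549", 3000001),
                  ("S-1-5-18", 3000002), ("S-1-5-11", 3000003))
DC2_IDMAP = _ldif(("S-1-5-32-544", 3000000), ("S-1-5-11", 3000001),
                  ("S-1-5-18", 3000002), ("S-1-5-32-549", 3000003))

# getfacl /var/lib/samba/sysvol as posted in the thread.
GETFACL_SYSVOL = """\
# file: sysvol
# owner: root
# group: 3000000
user::rwx
user:root:rwx
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
"""

if __name__ == "__main__":
    dc1, dc2 = parse_idmap_ldif(DC1_IDMAP), parse_idmap_ldif(DC2_IDMAP)
    for entry, sid, name in annotate_getfacl(GETFACL_SYSVOL, dc1):
        print(f"{entry:<16} {sid:<14} {name}")
    for xid, a, b in compare_idmaps(dc1, dc2):
        print(f"MISMATCH xid {xid}: DC1={a} DC2={b}")
```

On real DCs, feed the functions the output of `ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)'` taken from each machine; an empty result from compare_idmaps is the precondition for copying sysvol with a POSIX-ACL-aware rsync to be safe, and any mismatch is a reason to copy idmap.ldb from the first DC and re-run `samba-tool ntacl sysvolreset`.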

?icro MEGAS

Nov 1, 2014, 3:30:04 PM
> Rowland wrote:
> You can check the ACL's on sysvol with:
> samba-tool ntacl sysvolcheck
Hi Rowland,

when I execute that command on either DC1 or DC2 I get the following uncaught exception error :-(

$ samba-tool ntacl sysvolcheck
ERROR(): uncaught exception - ProvisioningError: DB ACL on GPO file /var/lib/samba/sysvol/mydom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/Documents & Settings/fdeploy.ini O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
lp)
File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1726, in checksysvolacl
direct_db_access)
File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1677, in check_gpos_acl
domainsid, direct_db_access)
File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1634, in check_dir_acl
raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))

Why that? Do I have to worry about that error? Is this a known bug or something like that? I am running Samba 4.1.12/sernet on Debian Wheezy.

> You are using winbind on the server, it is either built into the samba
> daemon, or if you are running 4.2, it is now called 'winbindd' and is
> started by the samba daemon.

as I am on 4.1.12 I am still using the old built-in version of winbind. My /etc/default/sernet-samba is set to "ad" mode and "ps aux | grep -i winbind" returns no output, so I don't see any winbind process. I hope that's OK and normal behaviour.

> I think that your problem is that when you join another DC to the
> domain, idmap.ldb is not replicated, so when you sync sysvol from the
> first DC to the second the 'xidnumbers' i.e. '3000000' do not match what
> is in idmap.ldb on the second DC, so the permissions are not correct,
> the cure is to copy idmap.ldb from the first DC to any other DC's.
I cannot imagine why, because according to the wiki (I did read it somewhere on the tutorial when configured DC2) I did manually copy the mentioned idmap.ldb from dc1 to dc2. But right now I checked the two files, they were different (I ran "diff idmap.ldb.from.dc1 idmap.ldb.from.dc2" after I copied them onto a temporary directory). So I again copied the file dc1:/var/lib/samba/private/idmap.ldb to dc2:/var/lib/samba/private/idmap.ldb to ensure they are both the same.

After that action I rechecked, but the problem still exists. I can describe the issue in more detail: I can create a new GPO on DC1 and name it "new-test-gpo-created-on-dc1". Inside this GPO I choose the setting "something" and ENABLE it. After 5 minutes this GPO is replicated to DC2. I see the change there.

When I connect to DC2 through GPMC and create a new GPO called "new-test-gpo-created-on-dc2", set the configuration "foobar" to DISABLE and wait 5 minutes, then this GPO "new-test-gpo-created-on-dc2" cannot be edited on DC1 or DC2. I get the error "System cannot find the specified path" (Note: I translated this into English myself, so this might not be the original error message).

I guess that the problem is related to the unison bidirectional sync I configured according to https://wiki.samba.org/index.php/SysVol_Bidirectional_Replication
The logfile created by sysvol-sync looks like that:

[...]
2014/11/01 20:10:02 [27755] .d..t...... sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/
2014/11/01 20:10:02 [27755] cd+++++++++ sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/Documents & Settings/
2014/11/01 20:10:02 [27755] cd+++++++++ sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/Scripts/
2014/11/01 20:10:02 [27755] cd+++++++++ sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/Scripts/Logoff/
2014/11/01 20:10:02 [27755] cd+++++++++ sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/Scripts/Logon/
2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/User/Documents & Settings
2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/User/Documents & Settings
2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/User
2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/User
2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/Adm
2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/Adm
2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}
2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}/Adm
2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}/Adm
2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}
2014/11/01 20:10:02 [27755] sent 7802 bytes received 50 bytes 5234.67 bytes/sec
2014/11/01 20:10:02 [27755] total size is 0 speedup is 0.00
UNISON 2.40.65 started propagating changes at 20:10:02.45 on 01 Nov 2014
[CONFLICT] Skipping sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}
[CONFLICT] Skipping sysvol/mydom.example.com/Policies/{58DC2B52-5E0C-4B07-9BC5-F0FFB708F94F}/Machine/Registry.pol
[CONFLICT] Skipping sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}
[BGN] Updating file sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/GPT.INI from /var/lib/samba to //dc2//var/lib/samba
[END] Updating file sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/GPT.INI
[BGN] Copying sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/Registry.pol from /var/lib/samba to //dc2//var/lib/samba
/usr/bin/rsync -XAavz --rsh='ssh -p 22' --inplace --compress '/var/lib/samba/sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/Registry.pol' 'root@dc2:'\''/var/lib/samba/sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/.unison.Registry.pol.a3c7ed9ae723707cd04ca2e02a97e300.unison.tmp'\'''
[END] Copying sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/Registry.pol
UNISON 2.40.65 finished propagating changes at 20:10:02.60 on 01 Nov 2014
Synchronization complete at 20:10:02 (2 items transferred, 3 skipped, 0 failed)
skipped: sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}
skipped: sysvol/mydom.example.com/Policies/{58DC2B52-5E0C-4B07-9BC5-F0FFB708F94F}/Machine/Registry.pol
skipped: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}
2014/11/01 20:15:02 [27956] building file list
2014/11/01 20:15:02 [27956] done
2014/11/01 20:15:02 [27956] .d..t...... sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/
2014/11/01 20:15:02 [27956] .d..t...... sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/
2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/User/Documents & Settings
2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/User/Documents & Settings
2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/User
2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/User
2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/Adm
2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/Adm
2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}
2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}/Adm
2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}/Adm
2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}
2014/11/01 20:15:02 [27956] sent 5902 bytes received 18 bytes 3946.67 bytes/sec
2014/11/01 20:15:02 [27956] total size is 0 speedup is 0.00
UNISON 2.40.65 started propagating changes at 20:15:02.29 on 01 Nov 2014
[CONFLICT] Skipping sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}
[CONFLICT] Skipping sysvol/mydom.example.com/Policies/{58DC2B52-5E0C-4B07-9BC5-F0FFB708F94F}/Machine/Registry.pol
[CONFLICT] Skipping sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}
[BGN] Updating file sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/GPT.INI from /var/lib/samba to //dc2//var/lib/samba
[END] Updating file sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/GPT.INI
UNISON 2.40.65 finished propagating changes at 20:15:02.30 on 01 Nov 2014
Synchronization complete at 20:15:02 (1 item transferred, 3 skipped, 0 failed)
skipped: sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}
skipped: sysvol/mydom.example.com/Policies/{58DC2B52-5E0C-4B07-9BC5-F0FFB708F94F}/Machine/Registry.pol
skipped: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}

Mirco.
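
As an added example (not part of the thread and not Samba's own code), the two SDDL strings from the sysvolcheck error above, parsed and diffed so that "does not match expected value" turns into a list of concrete differences. The descriptor strings are copied verbatim from the error; the field names and the FULL / READ+EXECUTE labels for the two access masks are my own.

```python
import re
from typing import Dict, List

# Positional fields of one ACE as SDDL writes it: (type;flags;rights;object_guid;inherit_guid;trustee)
ACE_FIELDS = ("type", "flags", "rights", "object_type", "inherited_object_type", "trustee")

# The two access masks that appear in the error: 0x1f01ff is FILE_ALL_ACCESS,
# 0x1200a9 is FILE_GENERIC_READ | FILE_GENERIC_EXECUTE.
RIGHTS = {"0x001f01ff": "FULL", "0x001200a9": "READ+EXECUTE"}


def parse_sddl(sddl: str) -> Dict:
    """Split an 'O:..G:..D:..' string into owner, group, DACL flags and ACE dicts.
    Only the subset samba-tool prints here is handled (no SACL, no conditional ACEs)."""
    m = re.fullmatch(r"O:(.+?)G:(.+?)D:(.*)", sddl.strip())
    if not m:
        raise ValueError("expected an O:/G:/D: security descriptor")
    owner, group, dacl = m.groups()
    first_paren = dacl.find("(")
    dacl_flags = dacl if first_paren < 0 else dacl[:first_paren]  # e.g. 'P' = protected
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        parts = body.split(";")
        if len(parts) != len(ACE_FIELDS):
            raise ValueError(f"malformed ACE ({body})")
        aces.append(dict(zip(ACE_FIELDS, parts)))
    return {"owner": owner, "group": group, "dacl_flags": dacl_flags, "aces": aces}


def diff_sddl(on_disk: str, expected: str) -> List[str]:
    """Explain how the descriptor found on the file differs from the one the
    GPO object in the directory says the file should carry."""
    a, e = parse_sddl(on_disk), parse_sddl(expected)
    findings = []
    for key in ("owner", "group", "dacl_flags"):
        if a[key] != e[key]:
            findings.append(f"{key}: on disk {a[key]!r}, expected {e[key]!r}")

    def by_identity(aces):
        # Same type+rights+trustee may appear more than once; collect flag variants.
        out: Dict[tuple, set] = {}
        for ace in aces:
            out.setdefault((ace["type"], ace["rights"], ace["trustee"]), set()).add(ace["flags"])
        return out

    a_map, e_map = by_identity(a["aces"]), by_identity(e["aces"])
    for key in sorted(set(a_map) | set(e_map)):
        typ, rights, trustee = key
        label = f"ACE {typ}/{RIGHTS.get(rights, rights)}/{trustee}"
        if key not in e_map:
            findings.append(f"{label}: present on disk but not expected")
        elif key not in a_map:
            findings.append(f"{label}: expected with flags {sorted(e_map[key])} but missing on disk")
        elif a_map[key] != e_map[key]:
            findings.append(f"{label}: flags {sorted(a_map[key])} on disk, expected {sorted(e_map[key])}")
    return findings


# Copied from the sysvolcheck error in the post.
ON_DISK = ("O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)"
           "(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)")
EXPECTED = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
            "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

if __name__ == "__main__":
    for line in diff_sddl(ON_DISK, EXPECTED):
        print(line)
```

Run against the strings from the error, this lists ten differences: owner BA instead of DA, primary group DU instead of DA, the DACL not marked protected (P), an extra BUILTIN\Administrators (BA) ACE on disk, no inherit-only CREATOR OWNER (CO) ACE, and every remaining ACE lacking the OICI (object- and container-inherit) flags the directory expects. That is the shape of an ACL that was written by something other than Samba's own provisioning, which is why Rowland's `samba-tool ntacl sysvolreset` is the relevant repair.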

Rowland Penny

Nov 1, 2014, 4:00:04 PM
On 01/11/14 19:21, ?icro MEGAS wrote:
>> Rowland wrote:
>> You can check the ACL's on sysvol with:
>> samba-tool ntacl sysvolcheck
> Hi Rowland,
>
> when I execute that command on either DC1 or DC2 I get following uncaught exception error :-(
>
> $ samba-tool ntacl sysvolcheck
> ERROR(): uncaught exception - ProvisioningError: DB ACL on GPO file /var/lib/samba/sysvol/mydom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/Documents & Settings/fdeploy.ini O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
> return self.run(*args, **kwargs)
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
> lp)
> File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1726, in checksysvolacl
> direct_db_access)
> File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1677, in check_gpos_acl
> domainsid, direct_db_access)
> File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1634, in check_dir_acl
> raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
>
> Why that? Do I have to worry about that error? Is this a known bug or something like that? I am running Samba 4.1.12/sernet on Debian Wheezy.

OK, make sure that the two idmap.ldb files match and then run
'samba-tool ntacl sysvolreset' on both machines and see if this cures
the problem.

>
>> You are using winbind on the server, it is either built into the samba
>> daemon, or if you are running 4.2, it is now called 'winbindd' and is
>> started by the samba daemon.
> as I am on 4.1.12 I am still using the old built-in version of winbind. My /etc/default/sernet-samba is set to "ad" mode and "ps aux |grep -i winbind" return no output, so I don't see any winbind process. I hope that's ok and normal behaviour.

As it is built into the samba daemon, you will not see a separate process.

>> I think that your problem is that when you join another DC to the
>> domain, idmap.ldb is not replicated, so when you sync sysvol from the
>> first DC to the second the 'xidnumbers' i.e. '3000000' do not match what
>> is in idmap.ldb on the second DC, so the permissions are not correct,
>> the cure is to copy idmap.ldb from the first DC to any other DC's.
> I cannot imagine why, because according to the wiki (I did read it somewhere on the tutorial when configured DC2) I did manually copy the mentioned idmap.ldb from dc1 to dc2. But right now I checked the two files, they were different (I ran "diff idmap.ldb.from.dc1 idmap.ldb.from.dc2" after I copied them onto a temporary directory). So I again copied the file dc1:/var/lib/samba/private/idmap.ldb to dc2:/var/lib/samba/private/idmap.ldb to ensure they are both the same.
I would suggest that you restart samba on both machines, this should
ensure that any changes will take effect.

> After that action I rechecked, but the problem still exists. I can describe the issue more detailled: I can create a new GPO on DC1 and name it "new-test-gpo-created-on-dc1". Inside this GPO I choose the setting "something" and ENABLE it. After 5 minutes this GPO is replicated to DC2. I see the change there.
>
> When I connect to DC2 through GPMC and create a new GPO called "new-test-gpo-created-on-dc2" and set the configuration "foobar" to DISABLE and wait 5minutes, then this GPO "new-test-gpo-created-on-dc2" cannot be edited on DC1 or DC2. I get the error "System cannot find the specified path" (Note: I translated on my own into english, so this might not be the original error message).

This may just be because the two machines are using the wrong
information from cache.

Rowland

steve

Nov 1, 2014, 5:30:05 PM
On 01/11/14 20:21, ?icro MEGAS wrote:

> I guess that the problem is related to the uniscon bidirection sync

Yeah, there's no need to guess. That's it. If it hasn't completed the
internal HA sync, you've had it. The only way we've found to do it is
going down, waiting for an hour, then rsyncing one way manually. Wait
again and rsync the other way. Any automation of sysvol sync fails at
some stage because there is no way of predicting when the HA sync has
completed. The lack of sysvol sync at this stage in the history of
Samba4, even with the clout our devs have, says a lot about the
complexity of this process.
Jo,

Achim Gottinger

Nov 1, 2014, 6:10:03 PM
Do things work if you test as "Administrator" (root)?

achim~